[meta-filesystems][dunfell][PATCH 6/8] ntfs-3g-ntfsprogs: Fix CVE-2022-30786


Ranjitsinh Rathod
 

From: Omkar Patil <omkar.patil@...>

CVE: CVE-2022-30786

Signed-off-by: Omkar Patil <omkar.patil@...>
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@...>
---
.../ntfs-3g-ntfsprogs/CVE-2022-30786-1.patch | 36 +++++++++++++++
.../ntfs-3g-ntfsprogs/CVE-2022-30786-2.patch | 45 +++++++++++++++++++
.../ntfs-3g-ntfsprogs_2021.8.22.bb | 2 +
3 files changed, 83 insertions(+)
create mode 100644 meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-1.patch
create mode 100644 meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-2.patch

diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-1.patch b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-1.patch
new file mode 100644
index 000000000..9d485fed8
--- /dev/null
+++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-1.patch
@@ -0,0 +1,36 @@
+From 838b6e35b43062353998853eab50cd0675201ed7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= <jean-pierre.andre@...>
+Date: Tue, 21 Sep 2021 10:54:50 +0200
+Subject: [PATCH] Made sure there is no null character in an attribute name
+
+When copying an attribute name which contains a null, it is truncated
+and this may lead to accessing non-allocated bytes when relying on the
+expected name length. Such names must therefore be rejected.
+
+CVE: CVE-2022-30786
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/n/ntfs-3g/ntfs-3g_2021.8.22-3ubuntu1.1.debian.tar.xz]
+Comment: No change in any hunk
+Signed-off-by: Omkar Patil <Omkar.Patil@...>
+
+---
+ libntfs-3g/attrib.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/libntfs-3g/attrib.c
++++ b/libntfs-3g/attrib.c
+@@ -426,7 +426,15 @@ ntfs_attr *ntfs_attr_open(ntfs_inode *ni
+ na = ntfs_calloc(sizeof(ntfs_attr));
+ if (!na)
+ goto out;
++ if (!name_len)
++ name = (ntfschar*)NULL;
+ if (name && name != AT_UNNAMED && name != NTFS_INDEX_I30) {
++ /* A null char leads to a short name and unallocated bytes */
++ if (ntfs_ucsnlen(name, name_len) != name_len) {
++ ntfs_log_error("Null character in attribute name"
++ " of inode %lld\n",(long long)ni->mft_no);
++ goto err_out;
++ }
+ name = ntfs_ucsndup(name, name_len);
+ if (!name)
+ goto err_out;
diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-2.patch b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-2.patch
new file mode 100644
index 000000000..85a2971b4
--- /dev/null
+++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs/CVE-2022-30786-2.patch
@@ -0,0 +1,45 @@
+From 5ce8941bf47291cd6ffe7cdb1797253f1cc3a86f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= <jean-pierre.andre@...>
+Date: Fri, 5 Nov 2021 08:41:20 +0100
+Subject: [PATCH] Made sure there is no null character in an attribute name
+ (bis)
+
+When copying an attribute name which contains a null, it is truncated
+and this may lead to accessing non-allocated bytes when relying on the
+expected name length. Such (illegal) names must therefore be rejected.
+
+CVE: CVE-2022-30786
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/n/ntfs-3g/ntfs-3g_2021.8.22-3ubuntu1.1.debian.tar.xz]
+Comment: No change in any hunk
+Signed-off-by: Omkar Patil <Omkar.Patil@...>
+
+---
+ libntfs-3g/attrib.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/libntfs-3g/attrib.c b/libntfs-3g/attrib.c
+index 51c8536f..efb91943 100644
+--- a/libntfs-3g/attrib.c
++++ b/libntfs-3g/attrib.c
+@@ -452,8 +452,19 @@ ntfs_attr *ntfs_attr_open(ntfs_inode *ni, const ATTR_TYPES type,
+
+ if (!name) {
+ if (a->name_length) {
+- name = ntfs_ucsndup((ntfschar*)((u8*)a + le16_to_cpu(
+- a->name_offset)), a->name_length);
++ ntfschar *attr_name;
++
++ attr_name = (ntfschar*)((u8*)a
++ + le16_to_cpu(a->name_offset));
++ /* A null character leads to illegal memory access */
++ if (ntfs_ucsnlen(attr_name, a->name_length)
++ != a->name_length) {
++ ntfs_log_error("Null character in attribute"
++ " name in inode %lld\n",
++ (long long)ni->mft_no);
++ goto put_err_out;
++ }
++ name = ntfs_ucsndup(attr_name, a->name_length);
+ if (!name)
+ goto put_err_out;
+ newname = name;
diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
index ea8607e6d..f74e91c93 100644
--- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
+++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
@@ -12,6 +12,8 @@ SRC_URI = "http://tuxera.com/opensource/ntfs-3g_ntfsprogs-${PV}.tgz \
file://CVE-2022-30783.patch \
file://CVE-2022-30784.patch \
file://CVE-2022-30785_30787.patch \
+ file://CVE-2022-30786-1.patch \
+ file://CVE-2022-30786-2.patch \
"

S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}"
--
2.17.1

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

Join openembedded-devel@lists.openembedded.org to automatically receive all group messages.